Replacing a Federation Trust Certificate When the Original Certificate is Missing

Exchange 2010 federation allows organizations to share calendar free/busy information (also known as calendar availability) and contact information with external recipients, vendors, partners, and customers. This is accomplished by creating a trust with Microsoft’s Federation Gateway. This cloud-based service offered by Microsoft acts as the trust broker between your on-premises Exchange 2010 organization and other federated Exchange 2010 organizations. For more information about Exchange federation, see Understanding Federation.

To configure federation you install an Exchange certificate, enable the certificate for Federation, and create a federation trust with Microsoft Federation Gateway. Eventually you will need to replace this certificate, either for business reasons or when the certificate expires. The usual way of doing this is to install a new Exchange certificate and configure it as the “Next Certificate” in the Manage Federation Certificate wizard, as shown below.

When you’re ready to replace the current federation certificate you simply run the Manage Federation wizard, select the “Roll certificate to make the next certificate as the current certificate” check box, and complete the wizard. What was the Next Certificate becomes the Current Certificate, and the Current Certificate becomes the Previous Certificate.

I ran into an interesting issue where the process above did not work. The customer deleted the Current Certificate from the computer’s local certificate store, rather than roll the Next Certificate into the current certificate’s place. This causes the Manage Federation wizard t break because it can’t locate the Current Certificate. I was also unable to use the Set-FederationTrust cmdlet in EMS – it would give the same error: